Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 240 replies
  • Subscribers 91 subscribers
  • Views 627548 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

XG v17: what's coming next

AlanT

Hi Everyone, 

You're all overdue for an update on current and next steps, so I wanted to take some time to share a brief update. Since v16 launched last year, we've seen a huge increase in deployments worldwide! It's great to see that the feedback and effort you've provided has really been helpful to shape a successful v16 launch! Thank you to everyone who has used XG, and shared your feedback. It's been immensely valuable, and a big factor in the success thus far.

We've also launched v16.05 (Also called 16.5 sometimes, by lazy people like me..) which closed off the last high-level feature gap between XG and UTM9. I've seen some questions on why this release didn't contain more, so I'll take a moment to go over why we released only what we did.

Earlier in 2016, we launched Sophos Sandstorm on both UTM9 and Sophos Web Appliance, to MUCH greater success than we had initially expected. This resulted in far greater demand to launch it on XG, and left us with a tough choice. We could delay v16 significantly, or leave Sandstorm until v17, as originally planned. We believed that delaying v16 by even a few more months, would have caused significant problems for our existing XG partners, and waiting until v17 to launch Sandstorm was just too far out. With that in mind, we looked at what it would cost to deliver Sandstorm sooner. Our web and email teams were already going to begin working on Sandstorm as soon as they finished with v16, so if we limited the features in a release to just Sandstorm, a 16.05 release was possible, without causing a meaningful delay to v17. If we included more features, quality testing would take too long. With this in mind, we decided to launch a highly focused 16.05 release, dedicated to delivering Sophos Sandstorm by end of December. This would get 16 out when it was needed, and also get Sandstorm out close enough to the 16 launch, that we could reduce the problems caused by 16 not having it. So far, the decision has proven to be justified, as the launch of 16.05 has significantly accelerated the already fast growing v16. This sort of smaller feature release, on a fast timetable, isn't something we normally want to do - but in this case, the circumstances called for it.  

While our web and email teams were working on v16.05, the rest of our teams began working on v17, and we're marching towards a beta start around April or May. I can't go into too much detail on all of it just yet, but here are some if the highlights of what you can expect:

  • Troubleshooting and Visibility
    • Improved log viewer v2 - Unified view of all log sources, better filtering and searching, improved readability and display of log contents, unified view of live and historical logs
    • Improved Log Retention - Persistent storage of logs, retained for 1-2 weeks, to improve troubleshooting issues that are days old
    • More insightful log contents - firewall logs will now log meaningful reasons for "invalid" packet drops, web logs will include more details for troubleshooting
    • Rich Policy Test - Enter criteria to check,such as source, destination, user, etc.. and find out what firewall rule will allow or block it, what policies will be applied, and for web traffic, a full analysis of what rule within the web policy will be matched, and what action will be shown to the user
  • Firewall Rule Management - sliimer layout, custom grouping, cool design
  • IPsec VPN engine Improvements - IKEv2, Suite-B protocols, Reliability Upgrades
  • NAT Business rule improvements - Object based, more familiar to UTM9 users, more powerful
  • Synchronized Security - changing game for application control
  • Email - UX Improvements, Spam improvements, Outbound relay
  • Web - streaming improvements, faster content filtering
  • Zero-touch firewall deployments (not strictly part of v17, but part of a parallel project)
  • Licensing and Registration- more usable, less mandatory

This forum has a heavy hand in what shapes our roadmap, but it isn't the only source. For example I and other PMs have frequent calls with customers and partners, and even competitor's customers and partners. Usability study participants, Sophos support, and ideas.sophos.com, also contribute valuable feedback. Quite often these sources are at odds with the community feedback. It rarely differs in whether a feature is desirable or not, but it often differs in importance, and we have to factor all of it into our planning. 

I mention this, because I know that after reading the above list, there will be immediate questions about "what about feature X?", or "Why not feature Y?". To that, I say:

  • If we're not doing it in v17, we're more than likely still planning it, but the order of priority might might be different than you prefer
  • Some of you will disagree with one feature being chosen over another, and perhaps even disagree very strongly. Just know that this doesn't mean we're ignoring your feedback. The majority of the features and focus of v17 are driven by requests coming from these forums. We're listening!
  • The above list isn't exhaustive, or detailed. What you're looking for might still be planned for v17, but I can't outline all the details just yet. Stay tuned for the start of beta.

Finally, I want to call out a group of features I know you're going to ask about. Renaming/disabling interfaces, and other objects. It's obviously important, and highly desired in the community. Some more enabling/disabling options may be added in v17, but not interfaces, and there won't be improvements in what you can rename just yet, either. I know it's a big annoyance for some of you not have those features, but we need to do it right. (Bring on your apple, copy/paste analogies.. :) ) I worked with the teams to see if we could come up with a plan that included at least interface enabling/disabling in v17, but it wasn't practical. There are hidden costs, that aren't obvious, and there are also other projects in the works, that will significantly reduce those costs. At the risk of being too much of a tease in this post, we have a plan to implements enable/disable, renaming, and many other ui usability niceties everywhere. It depends on completing a project that's been in the works for a while, that I can't discuss just yet. Rest assured, it's all coming, and you're going to like the results! Be patient, and stay tuned!

Best Regards,

Alan Toews

Sr. Product Manager, XG Firewall

 

 

 

One last tease.. 

    



This thread was automatically locked due to age.
Parents
  • 0

    sorry but after following the XG project for the last 2 years and trying betas and beeing unimpressed and having read promises of "feature parity" and "huge improvments" i am giving up on this one.

    We are a Sophos UTM customer (having deployed another HA cluster last year) since 2010 and currently on year 1/3 of both subscriptions.

    I can only (strongly) emphasise again that with any future end of the Sophos UTM series our business with sophos will end.

    XG is something i wouldn't even want thrown at me for free for home usage or anything because it lacks the functionality, stability and useable! of the UTM that no promised under the hood enhancements will fill.

    The problem Sophos and you probably have with XG right now is that a huge momentum of money and manpower has been invested, killing this XG in favor of something else will probably have jobs and careers ended at Sophos so it will probably be tried to keep alive for as long as possible. But as others mentioned, resubscriptions of XG will tell that story.

    I for one still hope for a change of heart at Sophos to have the "courage" to call this XG a fail, go back to UTM and make that stronger and see to get a new application control and reworked system with something that could be "UTM 10" - The seemless integration of the UTM in exisiting infrastructures through its various modules has been THE strong selling point and why people want to use it. You are slowly using that pro side of the UTM by having (from my point of view) abandonded major development on it.

    What has really hurt the UTM platform is that manpower has been shifted to the XG and thus has been the result of a orphaned application control on the UTM which has many (us included) pushed in a direction, where we will go to combine UTM with a next gen application firewall (testing one soon), XG will not be a part of it.

    I hope you see this post as a kind of an honest statement from a customer side and not just a plea for UTM and bashing of the XG platform, but i am sure you must somehow realize that XG has been a huge failure so far. I hope that focus will be pushed again in a direction of quality in a product that people want.

  • 0 in reply to Ben

    and that's what i've been saying all this time as well, UTM development got killed in favor of the inferior XG -practically once sophos bought Astaro- (check feature requests and lot of stuff that's been asked for years with hundreds of votes and acknowledgement of "future version" and ignored on UTM).

     

    Problem is that according to their statistics "XG is super popular and accepted", statistics that can easily be invalid, for example: i buy an XG box because that's what my distributor has in stock, i INSTANTLY UPGRADE IT to UTM to have an usable product, but for statistics-sake, it's another successful XG sale!.

    every customer in which i've placed an XG wants to kill me, specially if they had/have an UTM and start comparing functionality.

     

    And as you say, too much money has already been put in XG so they can't shelve it now (it should have NEVER left beta until v18 or v19), it's the sunk-cost fallacy all over again, i for one will remain UTM exclusive, when UTM gets EOLd... well i'll see what my options are then(i remain skeptical about XG having critical feature parity at that point)

     

Reply
  • 0 in reply to Ben

    and that's what i've been saying all this time as well, UTM development got killed in favor of the inferior XG -practically once sophos bought Astaro- (check feature requests and lot of stuff that's been asked for years with hundreds of votes and acknowledgement of "future version" and ignored on UTM).

     

    Problem is that according to their statistics "XG is super popular and accepted", statistics that can easily be invalid, for example: i buy an XG box because that's what my distributor has in stock, i INSTANTLY UPGRADE IT to UTM to have an usable product, but for statistics-sake, it's another successful XG sale!.

    every customer in which i've placed an XG wants to kill me, specially if they had/have an UTM and start comparing functionality.

     

    And as you say, too much money has already been put in XG so they can't shelve it now (it should have NEVER left beta until v18 or v19), it's the sunk-cost fallacy all over again, i for one will remain UTM exclusive, when UTM gets EOLd... well i'll see what my options are then(i remain skeptical about XG having critical feature parity at that point)

     

Children
  • 0 in reply to Mast_01

    About a year ago this time I drank the Kool-Aid and did a nine site installation with XG16, my first, after originally pricing them the Sonicwalls as I usually sell.  I also have one in my house (XG115) but still run a Sonicwall at the office.  One of the reasons was because they already used Sophos EP and had a ES1100 mail appliance I was hoping the XG could replace, since the ES1100 is ancient.  I had many days of unbillable time trying to get the firewalls to do basic things that don't require any training or special skills to do with competing products.  I gave up on doing anything with E-mail, was confounded by the firewall rules, IPS, content filtering, VPN, inability to work with SIP trunks, etc., etc.  Nothing worked as you'd expect.  Here we are a year later, with V17 installed on my personal XG115, and I don't feel the ball has really moved.  I'd say they deck chairs have been re-arranged on the Titanic.  The interface is still very slow, just not as slow as it was, many things are still non-intuitive or covered in the GUI, many things still don't work (geo-filtering), lack of logging, etc., etc.  I suspect the reason many on this forum are still even talking XG is they've got some level of history, longer than me, in Sophos firewall products, and have a harder time breaking free and saying enough is enough.  Except for that one customer, I can walk away from it.  Fortunately or unfortunately, I don't think that customer is going to be in business much longer, nothing to do with Sophos I should add, which would resolve the issue of what to do with them.  I didn't come from the old product, so trying to convert them to UTM would be another mountain to climb, especially with all their branch sites being in other states.  I've given up, am in maintenance mode, and will continue to loosely monitor the forum for unexpected breakthroughs or other news relative to my one customer's support.  Luckily the circumstances with that customer are such that I likely won't have to have that awkward conversation about why I sold them what I did.